assess...educate...advise
Audit: the proof is in the pudding
The goal of an audit is to verify that the controls described in policy actually exist within the institution's infrastructure and operations, and that they are effective. A General Controls Audit is well defined: anyone can go to the ISACA web site and find a discrete set of controls to test.
Seems pretty straightforward, right? ...Not exactly. Most firms conduct audits with a cookie-cutter approach, working from a checklist of controls to test for without really understanding what those controls do. If a control on the list isn't there, it's written up as a deficiency.
R.I.S.C. takes a different approach. While we still leverage COSO and COBIT, our CISAs bring hands-on systems experience and banking domain expertise, resulting in higher value to our clients. We begin by reviewing the most recent risk assessment, since a proper risk assessment should provide insight into which controls exist and should drive the audit program. And while a primary control might not exist, there may be several compensating controls that satisfactorily ensure:
Availability
Integrity
Confidentiality
Accountability
Assurance
Thus, what appears deficient to the inexperienced eye could very well be satisfactory to someone who understands systems, banking and controls. To approach an audit in any other way is a disservice to the client.